How to Set up ACF2 to Validate PROGRAM Execution

Document ID : KB000027229
Last Modified Date : 14/02/2018

Summary:

You can protect programs using SAF program validation. When a program is loaded or executed, a SAF validation call for resource class PROGRAM is issued.
This call is a RACROUTE REQUEST=FASTAUTH,CLASS=PROGRAM. CA ACF2 does not process REQUEST=FASTAUTH,CLASS=PROGRAM calls by default. You can create a SAFDEF record so that ACF2 validates this SAF call, and then write resource rules to control use of the program.

Instructions:

  1. Create a generic rule for type(PGM) to allow access to all programs, i.e.

    $KEY(********) TYPE(PGM)
    UID(*) ALLOW

    This catch-all rule set must exist before the SAFDEF is activated: once validation is on, a program load with no matching rule is denied.

  2. Create specific rules for the program(s) to be protected, i.e.

    $KEY(PGMABC) TYPE(PGM)
    UID(useridx) PREVENT
    UID(useridy) ALLOW

    You can use masking to allow multiple program access via one rule, e.g.,

    $KEY(PGM*****) TYPE(PGM)
    UID(useridx) PREVENT
    UID(useridy) ALLOW

    This rule set will be used for all programs whose names begin with 'PGM' (each asterisk masks one character of the eight-character program name).

  3. Make the resource directory for type PGM resident via the GSO INFODIR record:

    ACF
    SET CONTROL(GSO)
    CHANGE INFODIR TYPES(R-RPGM) ADD

    (Note: the directory must be globally resident, not DEMAND or TRANSIENT, because FASTAUTH processing only evaluates rules that are already in storage.)

  4. Insert a GSO SAFDEF record to override the internal PROGMCHK SAFDEF record:

    ACF
    SET CONTROL(GSO)
    INSERT SAFDEF.PROGCHKX ID(PROGCHKX) MODE(GLOBAL) -
    RACROUTE(REQUEST=FASTAUTH,REQSTOR=PROGMCHK,SUBSYS=CONTENTS) REP

    The internal SAFDEF record has been designed to IGNORE all program requests and so will need to be overridden.

    PROGMCHK JOBNAME=******** USERID=******** PROGRAM=******** RB=********
             RETCODE=4  SAFDEF=INTERNAL  MODE=IGNORE  SUBSYS=ACF2
             FUNCRET=4  FUNCRSN=0
             RACROUTE REQUEST=FASTAUTH,REQSTOR='PROGMCHK',SUBSYS='CONTENTS'

  5. Create a GSO CLASMAP record to map the resource class PROGRAM to resource type PGM.

    ACF
    SET CONTROL(GSO)
    INSERT CLASMAP.PROGRAM RESOURCE(PROGRAM) RSRCTYPE(PGM)

    (Note: violations can be logged by specifying the LOG parameter on the CLASMAP record, e.g. INSERT CLASMAP.PROGRAM RESOURCE(PROGRAM) RSRCTYPE(PGM) LOG.)

  6. Issue a Refresh console command to make the INFODIR record effective:

    F ACF2,REFRESH(INFODIR)

  7. Issue a Rebuild console command to load the resident rules for type PGM:

    F ACF2,REBUILD(PGM),CLASS(R)

  8. Issue a Refresh console command to make the SAFDEF effective.

    It is important to note that as soon as the SAFDEF is activated, validation is enforced for ALL program loads on the system, and any load that fails validation ends in an S306-34 abend. Confirm that the generic rule from step 1 is resident (steps 3, 6 and 7 completed) before issuing this refresh.

    F ACF2,REFRESH(SAFDEF)

Additional Information: 

FASTAUTH processing retrieves the required rule from storage and calls the resource rule interpreter; this is why the rules must be made globally resident via the GSO INFODIR record. If access is allowed, ACF2 returns an allow return code. If access is denied or no rule exists, ACF2 checks whether the user has unscoped SECURITY or NON-CNCL; if so, it returns an "allow but log" return code, otherwise the request is denied.
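The following Python model is an added illustration, not CA ACF2 code. It approximates the decision described above using the rule sets from steps 1 and 2: ACF2-style masking in $KEY and UID strings, selection of the most specific matching rule set and entry, and the three outcomes (ALLOW, ALLOW-BUT-LOG for NON-CNCL or unscoped SECURITY users, DENY for everyone else, which the caller turns into the S306 abend). The "most specific wins" selection and its tie-breaking are assumptions made for the model, not ACF2's documented directory algorithm; the `clasmap_log` flag stands in for LOG on the CLASMAP record.

```python
"""Simplified model of the CA ACF2 TYPE(PGM) FASTAUTH decision (added example)."""
from dataclasses import dataclass
from typing import Optional

KEY_WIDTH = 8  # program names are 1-8 characters, blank padded

ALLOW, ALLOW_BUT_LOG, DENY = "ALLOW", "ALLOW-BUT-LOG", "DENY"


def mask_match(pattern: str, value: str, width: Optional[int] = None) -> bool:
    """ACF2-style masking: '*' matches exactly one character, '-' matches the
    remainder. With width=None the pattern is a prefix (UID semantics); with a
    width both sides are blank-padded to it ($KEY semantics), so '********'
    matches every program name while 'PGMABC' does not match 'PGMABCD'."""
    if width is not None:
        pattern, value = pattern.ljust(width), value.ljust(width)
    for i, p in enumerate(pattern):
        if p == "-":
            return True
        if i >= len(value):
            return False
        if p != "*" and p != value[i]:
            return False
    return True


def specificity(pattern: str) -> int:
    """Count of literal characters; the model prefers the most specific match."""
    return sum(1 for c in pattern if c not in "*-")


@dataclass
class Entry:
    uid: str     # UID string as written in the rule, prefix-matched with masking
    access: str  # "ALLOW" or "PREVENT"


@dataclass
class RuleSet:
    key: str     # $KEY value, e.g. "********", "PGM*****", "PGMABC"
    entries: list


@dataclass
class Decision:
    result: str               # ALLOW / ALLOW-BUT-LOG / DENY
    rule_key: Optional[str]   # $KEY of the rule set consulted, None if no rule found
    logged: bool              # whether a violation/logging record would be cut


def pick_most_specific(items, attr):
    # Assumption: ties go to the first listed item (max keeps the first maximum).
    return max(items, key=lambda x: specificity(getattr(x, attr)), default=None)


def evaluate(rule_sets, program, uid, privileged=False, clasmap_log=False):
    """privileged models NON-CNCL or unscoped SECURITY; clasmap_log models LOG
    on the CLASMAP record (FASTAUTH itself defaults to LOG=NONE)."""
    matching_sets = [r for r in rule_sets if mask_match(r.key, program, KEY_WIDTH)]
    rule_set = pick_most_specific(matching_sets, "key")
    verdict = None
    if rule_set is not None:
        # Only the selected rule set is consulted: a user absent from the specific
        # $KEY(PGMABC) set is denied even though $KEY(********) would allow them.
        matching_entries = [e for e in rule_set.entries if mask_match(e.uid, uid)]
        entry = pick_most_specific(matching_entries, "uid")
        verdict = entry.access if entry else None
    key = rule_set.key if rule_set else None
    if verdict == "ALLOW":
        return Decision(ALLOW, key, logged=False)
    # Denied, or no rule at all (the reason the step 1 catch-all rule exists).
    if privileged:
        return Decision(ALLOW_BUT_LOG, key, logged=clasmap_log)
    return Decision(DENY, key, logged=clasmap_log)  # caller abends the load: S306


# Rule sets taken from steps 1 and 2 of the article.
ARTICLE_RULES = [
    RuleSet("********", [Entry("*", "ALLOW")]),
    RuleSet("PGMABC", [Entry("useridx", "PREVENT"), Entry("useridy", "ALLOW")]),
]

if __name__ == "__main__":
    for pgm, user, priv in [("PGMABC", "useridx", False), ("PGMABC", "useridy", False),
                            ("IEFBR14", "useridx", False), ("PGMABC", "useridx", True)]:
        print(pgm, user, evaluate(ARTICLE_RULES, pgm, user, privileged=priv))
    # Without the catch-all from step 1, every program not named in a rule is denied.
    print("IEFBR14 with no generic rule:",
          evaluate(ARTICLE_RULES[1:], "IEFBR14", "useridx").result)
```

Two outcomes of the model are the ones worth checking against a real system before activating the SAFDEF: a program with no matching rule set at all is denied (so the step 1 rule must be resident first), and a user who is not named in a specific $KEY rule set is denied for that program even though the generic rule would have allowed them.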

For FASTAUTH processing the following will not occur by default:

  1. No SMF records, ACF2 violation messages, or loggings are produced.

    (Note: violations can be logged by specifying LOG on the CLASMAP record, e.g. INSERT CLASMAP.PROGRAM RESOURCE(PROGRAM) RSRCTYPE(PGM) LOG. This overrides the LOG=NONE default on the RACROUTE REQUEST=FASTAUTH call.)

  2. No SVC exits are called.

    The message issued when a program validation is denied is determined by the program that issues the RACROUTE FASTAUTH call; ACF2 does not control whether CSV026I or CSV025I is returned.

    Note: There are SAFDEF restrictions with FASTAUTH processing. When processing a SAF RACROUTE REQUEST=FASTAUTH request, CA ACF2 will recognize only the following fields of SAFDEF records in determining whether to process or ignore the request:

    MODE()
    RACROUTE(REQUEST=FASTAUTH,SUBSYS=,REQSTOR=,CLASS=)

    Other fields such as JOBNAME, PROGRAM, RB and RACROUTE(ENTITY=) will be ignored. In effect, FASTAUTH resource validation can be globally enabled or disabled, but cannot be enabled for one set of users or entities and disabled for others.